[Samba] Upgrading from Samba 4.0.1 to 4.1.6

Jason Waters jwaters at h2os.com
Fri Mar 14 10:28:58 MDT 2014


I just grep'd the log file and found this, so I think you are correct.

root at blhblahblah:/usr/local/samba-4.1.6/var# grep pem *
log.samba:  invalid permissions on file '/usr/local/samba/private/tls/key.pem': has 0644 should be 0600
log.samba:  Invalid permissions on TLS private key file '/usr/local/samba/private/tls/key.pem':
log.samba:  Removing all tls .pem files will cause an auto-regeneration with the correct permissions.




On Fri, Mar 14, 2014 at 11:53 AM, Jason Waters <jwaters at h2os.com> wrote:

> Marc,
>     Great I will try that tonight.  Thank you for the help!  I will make
> sure I let you know if that fixed it or not.
>
> Jason
>
>
> On Fri, Mar 14, 2014 at 11:50 AM, Marc Muehlfeld <samba at marc-muehlfeld.de> wrote:
>
>> Hello Jason
>>
>> On 14.03.2014 16:18, Jason Waters wrote:
>>
>>> Took a quick look in /usr/local/samba/var/samba.log and saw the ldap
>>> error.
>>>
>>
>> I guess you hit this fix:
>> http://www.samba.org/samba/history/samba-4.0.11.html
>>
>> CVE-2013-4476:
>>    In setups which provide ldap(s) and/or https services, the private
>>    key for SSL/TLS encryption might be world readable. This typically
>>    happens in active directory domain controller setups.
>>
>>
>> You would have this in your logs, then:
>>
>> [2014/01/29 20:19:14.836873,  0, pid=4311] ../lib/util/util.c:161(file_check_permissions)
>>   invalid permissions on file '/usr/local/samba/private/tls/key.pem': has 0644 should be 0600
>> [2014/01/29 20:19:14.843206,  0, pid=4311] ../source4/lib/tls/tls_tstream.c:1125(tstream_tls_params_server)
>>   Invalid permissions on TLS private key file '/usr/local/samba/private/tls/key.pem':
>>   owner uid 0 should be 0, mode 0644 should be 0600
>>   This is known as CVE-2013-4476.
>>   Removing all tls .pem files will cause an auto-regeneration with the correct permissions.
>>
>>
>> This is about the TLS keys for LDAP encryption. Remove the key files and
>> restart Samba.
>>
>>
>> I've added this to the Wiki page, too, as we often had this problem on
>> the list in the past:
>> https://wiki.samba.org/index.php/Updating_Samba
>>
>>
>> Regards,
>> Marc
>>
>
>
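
Added example, not part of the original thread and not Samba's own code: a shell check for the two conditions the quoted log reports on key.pem (mode 0600 and the expected owner uid). It assumes GNU stat; the function name check_tls_key and its return codes are made up for this example.

```shell
#!/bin/sh
# Added example, not Samba code. Checks key.pem against the two conditions
# named in the quoted log: mode 0600 and the expected owner uid.
# Assumptions: GNU stat (coreutils); expected owner defaults to uid 0.

# check_tls_key DIR [EXPECTED_UID]
# Returns 0 = OK, 1 = wrong mode or owner, 2 = key.pem missing.
check_tls_key() {
    key="$1/key.pem"
    want_uid="${2:-0}"
    rc=0

    if [ ! -f "$key" ]; then
        echo "missing: $key"
        return 2
    fi

    mode=$(stat -L -c '%a' "$key")   # octal permission bits, e.g. 644
    uid=$(stat -L -c '%u' "$key")    # numeric owner uid

    if [ "$mode" != "600" ]; then
        echo "invalid permissions on '$key': has 0$mode should be 0600"
        rc=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "invalid owner on '$key': uid $uid should be $want_uid"
        rc=1
    fi
    if [ "$rc" -ne 0 ]; then
        # Remediation from the thread: remove the TLS .pem files, restart Samba.
        echo "fix: remove the .pem files in '$1' and restart Samba"
    fi
    return "$rc"
}

# Run against a directory when one is given, e.g.:
#   sh check_tls_key.sh /usr/local/samba/private/tls
if [ "$#" -gt 0 ]; then
    check_tls_key "$@"
fi
```

Running it before the upgrade shows whether the new version will refuse the existing key.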
